Important: Before you can configure the settings described here, you'll first need to enable mobile management in Advanced mode. For details, see the sections below.

Mobile management

Mobile management allows you to configure device policies that determine how your users can use their mobile devices in your fleet. Mobile management enables you to secure corporate data, take remote actions, and manage applications on mobile devices in your organization.

Unless you have mobile management enabled:

You can’t wipe corporate data from a device if it’s lost or stolen.

You can’t apply policies or manage the device from the Admin console.

Devices aren’t listed in the Admin console.

Setting mobile management to Advanced is recommended. For more details, see the table below.

Setting: Mobile management

Status: Specifies the number of organizational units where mobile management is disabled

As you enable mobile management, you can choose the level of control (Basic/Advanced/Custom) depending on your organizational policy. Before you can configure many of the settings described in the sections below, you'll need to enable mobile management in Advanced mode.

How to enable mobile management

In the Google Admin console, go to Device management > Setup > Mobile Management. You can then enable mobile management while choosing between the Basic, Advanced, and Custom options. To make sure you can configure the security settings described in the sections below, choose Advanced.

Blocking of compromised mobile devices

Configure mobile management settings to block the use of compromised Android mobile devices for all of your users. Indications of compromise might include, for example, the presence of an unlocked boot loader, the use of a custom read-only memory (ROM), or the presence of a superuser binary on the device. This setting is currently supported only on Android devices.

For more details, see the table below.

Setting: Blocking of compromised mobile devices

Status: Specifies the number of organizational units where the blocking of compromised mobile devices is disabled

Recommendation: Make sure you have enabled mobile management in Advanced mode, and then configure your settings to block compromised Android devices for all of your users. This reduces data leak, malware, and malicious insider risks.

A user with a compromised device (for example, if it’s rooted/unlocked) will be blocked and will not be able to use their mobile device to access corporate data for their Google service (such as G Suite or Cloud Identity). Users receive a notification telling them that their device has been blocked, and they are instructed to contact their domain administrator.

Mobile password requirements

If mobile management is enabled for an organization, you can require users to set a password for a mobile device and configure settings for password strength, expiration, password reuse, locking, and device wipeout.

For more details, see the table below.

Setting: Mobile password requirements

Status: Specifies the number of organizational units where users are not required to set up a password for their mobile devices

Recommendation: Make sure you have enabled mobile management in Advanced mode, and then require users to set up passwords for mobile devices. Configure settings for password strength, expiration, password reuse, locking, and device wipeout. This reduces the risk of data leaks in case devices are lost or stolen.

Your users will be required to set up a password for using their mobile device. In addition, if you configure password strength, expiration, password reuse, locking and wipe-out, this will affect your users’ password selection process as well as what happens when the password is entered incorrectly.

Device encryption

If mobile management is enabled for an organization, you can encrypt data on Android mobile devices that allow encryption. For more details, see the table below.

Setting: Device encryption

Status: Specifies the number of organizational units where encryption is not enforced for users’ mobile devices

Recommendation: Make sure you have enabled mobile management in Advanced mode, and then configure your settings to encrypt data on Android mobile devices that accept encryption. This reduces the risk of data leaks in case mobile devices are lost, stolen, or sold.

Enabling this setting will help reduce data leak risks in case your user’s mobile device is lost, stolen, or sold. Note that some users might report that encrypting the mobile device data has some effect on performance, especially on older, slower phones.

Mobile inactivity reports

If advanced mobile management is enabled for an organization, you can get a monthly report of unused company-owned Android devices that haven’t synchronized any work data in the last 30 days. The report is automatically emailed to all super administrators. You can add other recipients if you want. Recipients can download the file to check for unused devices and see who last signed in with them.

For more details, see the table below.

Setting: Device inactivity reports

Status: Specifies the number of organizational units where mobile inactivity reports are disabled

Recommendation: Make sure you have enabled mobile management in Advanced mode, and then enable the sending of monthly reports to super-admins of inactive company-owned devices that haven’t synchronized any work data in the last 30 days. This reduces your risk of data leaks if you choose to disable the inactive accounts.

Enabling this setting will not have a direct effect on your users. Once you review the report, you’ll have the option to disable inactive accounts. This will prevent the affected users from using their company-owned device until the account has been reactivated.

Auto account wipe

If mobile management is enabled for an organization, you can turn on the Auto Account Wipe setting for all of your users to automatically remove corporate account data from the mobile device when a device reaches a specified number of days of inactivity.

For more details, see the table below.

Setting: Auto account wipe

Status: Specifies the number of organizational units where Auto Account Wipe is not turned on

Recommendation: Make sure you have enabled mobile management in Advanced mode, and then turn on the Auto Account Wipe setting for all organizational units. This automatically removes corporate account data from the mobile device when a device reaches a specified number of days of inactivity (choose a number of days that aligns with your organization’s mobile usage policy). This reduces your risk of data leaks.

If your users have been inactive on their mobile device for a number of days greater than the one specified in the setting, their account is removed from the device. Users are prompted to reconnect to the Internet and sync the device before the system removes the account. The user will need to reconfigure this account the next time they sign in to the system using this device.

Application verification

If mobile management is enabled for an organization, you can enforce application verification for all of your users. This allows your users to install applications only from known sources, and periodically scans devices for potentially harmful apps.

For more details, see the table below.

Setting: Application verification

Status: Specifies the number of organizational units where mobile application verification is not enforced

Recommendation: Make sure you have enabled mobile management in Advanced mode, and then enforce mobile application verification for all organizational units. This allows your users to install applications only from known sources, periodically scans devices for potentially harmful apps, and reduces the risk of malware and data leaks.

If you enforce application verification, your users will only be able to install and run verified apps.

Installation of mobile applications from unknown sources

If mobile management is enabled for an organization, you can allow the installation of non-Play Store apps from unknown sources. Disabling this setting requires the installation of apps only from known sources.

For more details, see the table below.

Setting: Installation of mobile applications from unknown sources

Status: Specifies the number of organizational units where the installation of mobile applications from unknown sources is allowed (the Allow non-Play Store apps from unknown sources box is checked)

Recommendation: Make sure you have enabled mobile management in Advanced mode, and then require your users to install mobile applications only from known sources (for example, from Play Store).

Your users will be able to install mobile applications only from known sources. If they try to install an app from an unknown source, they will receive an error message.

External media storage

If you have mobile management enabled, you can allow or disallow external media storage for your users. Disabling external media storage prevents users from moving data and applications to and from the device.

For more details, see the table below.

Setting: External media storage

Status: Specifies the number of organizational units where external media storage is allowed

Recommendation: Make sure you have enabled mobile management in Advanced mode, and then configure your settings to not allow users to use external media for storage. This reduces the risk of data leaks.
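The device-level conditions behind the recommendations above (compromised state, missing password, missing encryption, unknown sources, and the 30-day inactivity window) can also be checked against a device inventory. The following is an added example, not part of the original page or any Google tooling; the record field names and the sample devices are constructed for illustration and do not reflect an Admin console export schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory; field names are hypothetical, not a Google export schema.
DEVICES = [
    {"id": "dev-001", "os": "android", "company_owned": True, "compromised": False,
     "password_set": True, "encrypted": True, "unknown_sources": False,
     "last_sync": "2024-05-28T09:00:00+00:00"},
    {"id": "dev-002", "os": "android", "company_owned": True, "compromised": True,
     "password_set": False, "encrypted": False, "unknown_sources": True,
     "last_sync": "2024-03-01T12:00:00+00:00"},
    {"id": "dev-003", "os": "ios", "company_owned": False, "compromised": False,
     "password_set": True, "encrypted": True, "unknown_sources": False,
     "last_sync": "2024-01-15T08:30:00+00:00"},
]

def audit_device(dev, now, inactivity_days=30):
    """Return the list of findings for one device record."""
    findings = []
    android = dev["os"].lower() == "android"
    # Compromise blocking, encryption and unknown sources are Android-only on this page.
    if android and dev.get("compromised"):
        findings.append("compromised")
    # A missing field is treated as a failed check (fail closed).
    if not dev.get("password_set"):
        findings.append("no_password")
    if android and not dev.get("encrypted"):
        findings.append("unencrypted")
    if android and dev.get("unknown_sources"):
        findings.append("unknown_sources_allowed")
    # The inactivity report covers company-owned Android devices with no recent sync.
    idle = now - datetime.fromisoformat(dev["last_sync"])
    if android and dev.get("company_owned") and idle > timedelta(days=inactivity_days):
        findings.append("inactive")
    return findings

def audit_fleet(devices, now, inactivity_days=30):
    """Map device id -> findings, listing only devices with at least one finding."""
    return {d["id"]: f for d in devices if (f := audit_device(d, now, inactivity_days))}

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date so the sample is repeatable
    for dev_id, findings in audit_fleet(DEVICES, now).items():
        print(dev_id, ", ".join(findings))
```

The `inactivity_days` parameter can be set to the number of days chosen for Auto Account Wipe to preview which devices that policy would affect.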